Identity and Context Virtualization The Key to Your IdM Architecture
"Everything You Know About IdM Is Wrong" (Neil McDonald, Gartner IAM Summit)
Gartner: Contextual Virtual Identity
"By year-end 2009, 80 percent of organizations deploying IAM solutions will use virtual directory technology as part of the IAM infrastructure."
It's About Virtualizing Both Identity and Context
Virtual Directories: Valuable Present, Promising Future (Mark Diodati, Burton Group)
Market Leader
The Radiant Logic VDS product has been in the market for 8 years and is the leader in the virtual directory market.
Customer Implementation: Vision / Nirvana
A single secure identity service:
- Seamless authentication and authorization
- Single point to provision access
- Internal and external users
- Levels of authentication based upon risk
- Easier access to user object data
Customer Implementation: Identity Architecture
Our Customers are our Best Testimonials
Identity and Context Virtualization: One Infrastructure, Many Services
Top 4 Common Use Cases for Identity and Context Virtualization
1. Authentication (WAM, Portal, SM, TAM, RSA, Ping)
   - Integrating identities: internal vs. external, employees/customers, etc.
   - The challenges and opportunities brought by Active Directory: multiple domains/forests
2. Authorization (roles, rules, SM, RSA, TAM, policy server)
   - The challenges and opportunities brought by Active Directory
   - Context is generally defined in applications that use databases
3. Delegated administration: segregation of duties, specialized contextual views
4. Global/enterprise information server for structured data (moving from a directory to a context server)
Use Case: Authentication (Identity Union)
Challenges:
- The first step in authentication is identification: finding the user entry that needs to authenticate.
  - Identities are spread across multiple data sources (e.g. multiple AD domains/forests, etc.).
  - Identities are described differently in each source (e.g. FirstName vs. fname vs. givenName).
- The second step is credential checking. Each source supports its own authentication mechanism.
  - Passwords are hashed/stored differently and under different schema elements (userPassword vs. unicodePwd, etc.).
  - Existing internal user IDs and passwords are in Active Directory.
  - External users' credentials may be stored elsewhere (SunOne, Oracle, etc.).
Virtualization solves the authentication problem:
- Aggregating users from multiple data sources lets applications search one common namespace to find the user.
- Credential checking can be handled at the virtual directory layer, or by the underlying source (delegated authentication).
Three Main Challenges in the Identification (Search) Phase of Authentication
1. Locating the user: where to search for them. If there is more than one place, the challenge becomes where to search and in which order.
2. Having a common representation of the user info: schema conversion, objectClass and attribute mapping (e.g. inetOrgPerson in Sun vs. user in AD vs. a person table in a database).
3. Distinguishing between the different identifiers for the same person (e.g. LCallahan vs. LauraC).
Authentication Step 1: Identification
Locate the user entry (based on who logs in). User information is spread across multiple heterogeneous sources (databases, directories, applications) and stored differently.
Example: Identification Challenges with Multiple Active Directory Forests/Domains
[Diagram: the VDS namespace (o=vds, ou=AD List with ou=AD1, ou=AD2, ou=AD3) mounts three Active Directory domains (dc=us, dc=us.corp, dc=cis), whose containers include ou=internal, cn=novato_branch, ou=sales, ou=temps, ou=groups, ou=Admin, ou=Con, ou=dept and ou=mktg.]
Identification: Create an Aggregated List of User Entries
- Aggregation/linking establishes a complete list of user entries.
- All schemas are mapped to a common schema.
- All users can be found/identified in the virtual namespace.
Aggregation vs. Integration: Union, Intersection (correlation where needed)
Reduced sign-on is possible only if an identity exists (and has been detected/correlated) across different security domains.
Authentication Step 2: Credential Checking
Authentication mechanisms and password storage differ per source:
- Databases: passwords hashed using a custom algorithm
- Directories: passwords hashed using SSHA
- Applications: passwords hashed using a custom algorithm
Authentication Step 2: Credential Checking
- Multiple authentication mechanisms supported.
- Delegated authentication: the bind request is sent to the underlying directory for processing.
- Custom scripting to leverage the appropriate hashing algorithm.
[Diagram: client sends an authentication request to the VDS.]
Example: Proxy Authentication Back to the Right Active Directory Domain Controller in a Specific Forest
[Diagram: the client's authentication request reaches the VDS, which forwards it to Active Directory (sAMAccountName, unicodePwd).]
Re-use existing users and credentials!
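The two authentication steps above (identification across a union of sources under one common schema, then credential checking delegated to whichever source owns the entry) as an added example. This is not Radiant Logic's code or the customer's configuration: the three backends (an AD domain with a simulated DC bind, a Sun-style directory with {SSHA} userPassword, a customer database with an application-specific salted hash), their entries, passwords and the mount names ou=AD1, ou=External and ou=CRM are all constructed for the example.

```python
import base64
import hashlib
import hmac

# The common (virtual) schema every backend is mapped onto.
COMMON_ATTRS = ("uid", "givenName", "sn", "mail")

# ---- Constructed backends: the same kind of person, described and authenticated differently ----

# Active Directory domain. Users are keyed by sAMAccountName and unicodePwd is not
# readable over LDAP, so the only way to verify a password is to bind against the
# domain controller (delegated authentication).
AD_DOMAIN1 = {
    "entries": {
        "LCallahan": {"sAMAccountName": "LCallahan", "givenName": "Laura",
                      "sn": "Callahan", "mail": "lcallahan@corp.example"},
    },
    "_dc_secrets": {"LCallahan": "Winter2009!"},  # stands in for the DC's own store
}

def ad_bind(backend, native_id, password):
    """Forward the bind; the DC decides. The virtual layer never sees a hash."""
    expected = backend["_dc_secrets"].get(native_id, "")
    return hmac.compare_digest(expected.encode(), password.encode())

# Sun Directory (inetOrgPerson) for external users: userPassword stored as {SSHA}.
def ssha(password, salt):
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(backend, native_id, password):
    stored = backend["entries"][native_id]["userPassword"]
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]        # SHA-1 digest is 20 bytes, salt follows
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

SUN_EXTERNAL = {"entries": {
    "bob.smith": {"uid": "bob.smith", "fname": "Bob", "lname": "Smith",
                  "mail": "bob@customer.example",
                  "userPassword": ssha("correct horse", b"\x9a\x1b\x2c\x3d")},
}}

# Customer database: passwords hashed with an application-specific scheme
# (here salted SHA-256 hex, constructed), checked by a custom script.
def db_verify(backend, native_id, password):
    row = backend["entries"][native_id]
    calc = hashlib.sha256((row["salt"] + password).encode()).hexdigest()
    return hmac.compare_digest(calc.encode(), row["pwd_hash"].encode())

CRM_DB = {"entries": {
    "7": {"CustomerID": "7", "Login": "acme_ops", "FirstName": "Ada", "LastName": "Lovelace",
          "Email": "ada@acme.example", "salt": "n0nc3",
          "pwd_hash": hashlib.sha256("n0nc3ENIAC!1".encode()).hexdigest()},
}}

# ---- Virtual directory layer ----

# Mount order matters: the first source holding a matching entry wins.
SOURCES = [
    {"name": "ou=AD1", "backend": AD_DOMAIN1, "verify": ad_bind,
     "map": {"uid": "sAMAccountName", "givenName": "givenName", "sn": "sn", "mail": "mail"}},
    {"name": "ou=External", "backend": SUN_EXTERNAL, "verify": ssha_verify,
     "map": {"uid": "uid", "givenName": "fname", "sn": "lname", "mail": "mail"}},
    {"name": "ou=CRM", "backend": CRM_DB, "verify": db_verify,
     "map": {"uid": "Login", "givenName": "FirstName", "sn": "LastName", "mail": "Email"}},
]

def to_common(source, native_id, raw):
    """Schema conversion: one source's attribute names onto the common schema."""
    entry = {attr: raw.get(source["map"][attr]) for attr in COMMON_ATTRS}
    entry["dn"] = f"uid={entry['uid']},{source['name']},o=vds"
    entry["_source"], entry["_native_id"] = source["name"], native_id
    return entry

def identify(login):
    """Step 1, identification: search the union namespace in mount order.
    A login may be the uid or the mail address; the match is case-insensitive."""
    login = login.lower()
    for source in SOURCES:
        for native_id, raw in source["backend"]["entries"].items():
            entry = to_common(source, native_id, raw)
            if login in {entry["uid"].lower(), (entry["mail"] or "").lower()}:
                return entry
    return None

def authenticate(login, password):
    """Step 2, credential checking, delegated to the source that owns the entry.
    Returns (virtual DN or None, success)."""
    entry = identify(login)
    if entry is None:
        return None, False
    source = next(s for s in SOURCES if s["name"] == entry["_source"])
    ok = source["verify"](source["backend"], entry["_native_id"], password)
    return entry["dn"], ok

if __name__ == "__main__":
    for login, pw in [("LCallahan", "Winter2009!"), ("bob.smith", "correct horse"),
                      ("ada@acme.example", "ENIAC!1"), ("LCallahan", "guess")]:
        print(login, authenticate(login, pw))
```

The point to notice is that the virtual layer never stores or compares an AD password itself: for the AD mount it forwards the bind and trusts the domain controller's answer, while for the other two mounts it runs the source's own verification routine. Mount order decides which entry an ambiguous login resolves to, so it should be deliberate rather than accidental.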
Fifth Third Bank | All Rights Reserved
Identity Management (IdM) Technology Stack
- Application layer / application access points: CRM, Mobius, 5/3 Direct, 53.com, Remote Wire, HR Direct, other apps
- RSA ClearTrust Web Access Management (WAM)
- Directory adaptor / common interfaces: Virtual Directory Services (VDS, Radiant)
- Workflow / provisioning: Provisioning Engine (BMC)
- Primary identity store: Enterprise Directory (ED, Sun)
- Other data sources in the picture: RAFT, Top Secret, AD, Data Warehouse
Clean IdM start. Applications in this picture with VDS use cases identified or in development include: CRM, Direct, 53.com, and Remote Wire.
Use Case: Authorization (Join)
Challenges:
- Profile information exists in multiple data sources.
- Data sources have their own schema elements; attributes are different and stored differently.
- Each source has its own schema (e.g. user in AD vs. inetOrgPerson in Sun vs. an Employee table in Oracle).
- Group membership is modeled differently: memberOf (AD), groupOfNames (eDirectory), posixGroup (OpenLDAP).
- Inflexible schema extensions (AD).
Virtualization solves the authorization problem:
- Provides a common schema that all sources can map to.
- Aggregates profile information, which provides more context about a user.
- Web access management products can base policy decisions on the information available in the VDS.
- More attributes available = more fine-grained policies possible.
Deployment Details: Schema Extensions
[Diagram: the AD user object (email, password, memberOf, dept) is extended in the VDS with attributes AD does not carry (loginShell, uidNumber, home directory). The client (e.g. TAM, which requires schema extensions; integrating UNIX/AD POSIX attributes, etc.) accesses the AD attributes plus the required extended attributes.]
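The three group models listed under the authorization challenges (memberOf on the AD user, groupOfNames with member DNs on the eDirectory group, posixGroup with memberUid and a gidNumber primary group in OpenLDAP) collapsed into one virtual memberOf that a policy server can evaluate with a single rule. This is an added example, not the vendor's mapping logic; the group entries, the link table from the joined identity to its native identifier in each source, and the virtual naming under ou=groups,o=vds are all constructed.

```python
# Constructed sample data. The same person exists in three group models, under
# three different identifiers that the join layer has already linked.
AD_USERS = {
    "CN=Laura Callahan,OU=sales,DC=us,DC=corp": {
        "memberOf": ["CN=Sales Managers,OU=groups,DC=us,DC=corp",
                     "CN=VPN Users,OU=groups,DC=us,DC=corp"]},
}
EDIR_GROUPS = {   # groupOfNames: membership lives on the group as member DNs
    "cn=Expense Approvers,ou=groups,o=edir": {"member": ["cn=lcallahan,ou=users,o=edir"]},
    "cn=Auditors,ou=groups,o=edir": {"member": ["cn=jdoe,ou=users,o=edir"]},
}
POSIX_GROUPS = {  # posixGroup: memberUid plus a primary group reached via gidNumber
    "cn=wheel,ou=groups,dc=unix,dc=example": {"gidNumber": 10, "memberUid": ["lcallahan", "root"]},
    "cn=sales,ou=groups,dc=unix,dc=example": {"gidNumber": 500, "memberUid": []},
}
LINKS = {  # joined identity -> native identifier in each source (constructed)
    "lcallahan": {"ad_dn": "CN=Laura Callahan,OU=sales,DC=us,DC=corp",
                  "edir_dn": "cn=lcallahan,ou=users,o=edir",
                  "uid": "lcallahan", "gidNumber": 500},
}

def rdn_value(dn):
    """Value of the first RDN. Assumes no escaped commas in the group name."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def virtual_group_dn(source_ou, native_group_dn):
    """Common naming for groups regardless of where they live."""
    return f"cn={rdn_value(native_group_dn)},ou={source_ou},ou=groups,o=vds"

def virtual_member_of(uid):
    """One common-schema memberOf built from all three membership models."""
    link = LINKS[uid]
    groups = set()
    # AD: membership is an attribute of the user entry.
    for g in AD_USERS.get(link["ad_dn"], {}).get("memberOf", []):
        groups.add(virtual_group_dn("AD", g))
    # eDirectory groupOfNames: membership is an attribute of the group entry.
    for g, attrs in EDIR_GROUPS.items():
        if link["edir_dn"] in attrs["member"]:
            groups.add(virtual_group_dn("eDir", g))
    # OpenLDAP posixGroup: memberUid list, plus the primary group by gidNumber,
    # which is easy to forget and is exactly the kind of membership a policy
    # written against memberOf alone would miss.
    for g, attrs in POSIX_GROUPS.items():
        if link["uid"] in attrs["memberUid"] or attrs["gidNumber"] == link["gidNumber"]:
            groups.add(virtual_group_dn("posix", g))
    return sorted(groups)

def is_member(uid, virtual_group):
    """What a WAM/policy server would evaluate against the VDS entry."""
    return virtual_group in virtual_member_of(uid)

if __name__ == "__main__":
    print("\n".join(virtual_member_of("lcallahan")))
```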
Build a Complete Profile
Join: build a complete, unique profile from information in all data sources.
- Source A: cn=Laura Callahan, mail=[email protected], title=Sales Manager, employeeID=8
- Source B: FullName=Laura Callahan, ProjectID=2019, UserID=8
- Source C: First_Name=Laura, Last_Name=Callahan, Department=Sales, EmployeeNo=8
- Joined virtual entry: FullName=Laura Callahan, mail=[email protected], title=Sales Manager, employeeID=8, ProjectID=2019, Department=Sales
The client can base authorization on the complete profile.
Customer Implementation: Virtual Directory Role
Use Case: Delivering Data in Context
Challenge: for delegated administration
- Existing hierarchies are relatively flat, making them easier to maintain and manage.
- However, this limits the usefulness of delegated administration.
- Delegated administration requires a hierarchy based on how you want to delegate.
How does a virtualization layer deliver data in context?
- Reconfigure existing directory trees to make more meaningful views for delegated administration.
- Based on the data available in the entries, different hierarchies are possible (e.g. Country -> State -> City, management (org chart), job description, etc.).
- Virtual view based on location: Country -> State -> City
- Virtual view based on org chart: top manager -> full management hierarchy
- Virtual view based on role, location and territory
Use Case: Global Directory and Enterprise Search
Problems:
- Mergers and acquisitions result in numerous enterprise directories/databases that require integration/aggregation (Active Directory, HR systems, customer databases).
- Often, applications that consume data can only connect to a single directory.
How does a virtualization layer help build a global/enterprise directory?
- Aggregate multiple data sources into a common directory namespace.
- No changes (to schema or data) required in the underlying directories.
- Fast implementation and configuration.
- Re-use existing data rather than build a new directory into which data is synchronized.
Customer Implementation: 7 Abstraction Layers
Aggregate Existing Data Sources
[Diagram: Help Desk, ERP, HR, Knowledge Management, White Pages and CRM are aggregated under dc=Global Directory; the client talks to a single directory.]
Data Sources with Common Users (with an existing common key)
With a unique common key, joins are based on that key:
- Source A: cn=Laura Callahan, mail=[email protected], title=Sales Manager, employeeID=8
- Source B: FullName=Laura Callahan, ProjectID=2019, UserID=8
- Source C: First_Name=Laura, Last_Name=Callahan, Department=Sales, EmployeeNo=8
- Joined virtual entry: FullName=Laura Callahan, mail=[email protected], title=Sales Manager, employeeID=8, ProjectID=2019, Department=Sales
Data Sources with Common Users (no existing common key)
- Without a unique common key, virtualization alone cannot detect duplicate users.
- This requires identity correlation and reconciliation: matching rules determine which users are the same person across the sources.
[Diagram: HR, Accounting and CRM data sources feed a Global Identity Hub through matching rules; the hub holds a global directory entry with references/pointers back to each source.]
Customer Implementation
Speaker note: [...] is essentially an integration challenge: the lack of an integrated view of identity. One entry point to access all Active Directory domains/forests (mount all AD domains into the virtual namespace). Mention here that we will revisit this case a bit later when we look at the existence of a common key/identifier across the virtualized sources.